Skip to main content
AHO

Privacy Policy

Last updated: 2026-05-06

This Privacy Policy describes how AHO (Advertise Homes Online), operating at advertisehomes.online, collects, uses, shares, and protects information about real-estate agents who subscribe to publish listings and the buyers who browse and contact them. Read it together with our Terms of Service.

1. Who is responsible for your data

AHO operates the platform. For privacy questions, write to privacy@advertisehomes.online. Postal correspondence is available on request.

2. What we collect, and why

From everyone (browsing without an account)

  • Anonymous visitor cookie (one UUID, non-trackable across sites) — lets us remember your recently-viewed listings and saved searches across page reloads. Strictly functional; no advertising profiling.
  • Device/connection metadata — IP address, user-agent, and referrer at the moment of a request. Used for rate-limiting against abuse and for diagnosing errors. Logs are retained for up to 30 days then aggregated.
  • Bot-protection signal — when you submit a contact form or sign in, Cloudflare Turnstile generates a one-time token to confirm you're not automated. We send only the token to Cloudflare, not your form contents.
  • Chat-widget signup — before starting a conversation with a listing's AI assistant, we ask for your name and email address and require you to accept these terms. Submitting that form adds you to AHO's newsletter contact list (stored at our email provider, Brevo) with the timestamp of your consent. We use it for occasional product updates and market notes — typically once a month. You can unsubscribe instantly via the link in any email; doing so removes you from all future sends. The agent you chatted with separately receives any contact details you choose to share inside the conversation; the newsletter subscription is independent of that.

From buyers who create an account

  • Authentication — email address, hashed password (or OAuth identifier when you sign in with Google), email-verification status.
  • Preferences — display language (EN/ES), currency, theme, country/city for localized search defaults.
  • Activity — saved searches you opt into, favorited listings, recent views (merged from your anonymous cookie when you sign in).
  • Contact-form submissions you send to agents — your name, email, optional phone, and message text. Forwarded to the agent and stored so the agent can respond.
  • Reviews you write — rating, body text, the listing you referenced, and the email used to verify the review.

From agents who subscribe

  • Profile — full name, avatar (uploaded photo), bio, specialties, languages spoken, website, WhatsApp number, social-media URLs, headquarters city and country.
  • Listings — photos, addresses, neighborhood, prices, property attributes, descriptions in EN and/or ES. Photos are stored on Cloudflare R2; delivery variants on Cloudflare Images.
  • Sales record — when a listing is marked as sold or rented: closing date, optional closing price, which side you represented (buyer, seller, or both).
  • Lead inbox — every contact-form submission tied to a listing you own.
  • Subscription state — Stripe customer ID, plan tier, billing period, current period end. We do not see, store, or process your card number — Stripe handles that and shares only the metadata above.
  • Social-channel tokens (Pro Automation tier only) — OAuth tokens for Facebook, Instagram, and WhatsApp Business so we can post listings on your behalf. Encrypted at rest. You can revoke any time from the dashboard.

3. Legal bases (GDPR Art. 6)

  • Contract — agent subscriptions, listing publication, contact forwarding, billing.
  • Legitimate interest — anti-abuse (rate-limit, Turnstile, honeypot), aggregated analytics, fraud prevention, security logging.
  • Consent — saved-search email digests (opt-in via the dashboard toggle), any future marketing emails. You can withdraw consent any time.
  • Legal obligation — retaining billing records as required by tax law (typically 7 years).

4. Who we share data with

We share data only with processors who help us run the service, all under Data Processing Agreements with appropriate safeguards. We do not sell, rent, or barter personal data.

  • Supabase (Frankfurt, EU) — hosts our database and authentication. Row-Level Security policies enforce per-user data isolation inside the database.
  • Cloudflare (global) — application hosting (Pages, Workers), CDN, image delivery, Turnstile bot protection, and KV rate limiting.
  • Stripe (US, with EU presence) — subscription billing and payment processing. Stripe is PCI-DSS Level 1 certified. Card numbers never touch our servers.
  • Brevo (France, EU) — transactional emails (welcome, password reset, lead notifications, saved-search digests).
  • Meta (Facebook, Instagram, WhatsApp) — only when you are a Pro Automation subscriber and have explicitly connected the channel; we then publish your listing content via Meta's Graph API on your behalf.

We disclose data to law enforcement only on receipt of a valid legal request, and we attempt to notify the affected user unless we are legally barred from doing so.

5. International transfers

Some processors (notably Stripe and Cloudflare) operate globally. Where data leaves the European Economic Area, we rely on Standard Contractual Clauses (SCCs) and the processor's own Transfer Impact Assessments. Our primary database is in the EU (Supabase Frankfurt).

6. How long we keep data

  • Account data — until you delete the account. Deletion is self-service from the dashboard's Profile page.
  • Active listings — for the duration the listing is published, plus up to 90 days after archival to allow restore.
  • Lead messages — 24 months from receipt.
  • Anonymous visitor events — 12 months in identifiable form, then permanently aggregated.
  • Stripe billing records — 7 years to meet tax-record obligations.
  • Operational logs (request logs, rate-limit counters, error traces) — up to 30 days.

7. Your rights

Under GDPR (EU), CCPA (California) and analogous frameworks, you can:

  • Access the personal data we hold about you;
  • Correct inaccurate data — most fields are self-service in your dashboard;
  • Delete your account — self-service from the Profile page; cascades to your listings, leads, reviews, saved searches, and social tokens. Stripe billing records are anonymized but retained where required by law;
  • Export your data in a portable format — request via privacy@advertisehomes.online;
  • Object to processing based on legitimate interests;
  • Withdraw consent (notably for email digests) — any time, from the dashboard;
  • Lodge a complaint with your supervisory authority (e.g., your country's data protection agency).

8. Cookies and similar technologies

We use a small number of strictly-necessary cookies and one anonymous-visitor UUID. We do not use third-party advertising cookies or cross-site trackers.

  • Auth session cookie (set when you sign in) — required for the dashboard to know who you are.
  • Locale preference cookie — remembers EN/ES choice.
  • Anonymous visitor UUID — lets us merge your anonymous recent-views into your account if you sign up later.
  • Cloudflare Turnstile cookie — issued by Cloudflare during the bot challenge; expires within minutes of completion.

9. Security

HTTPS is enforced everywhere. The database uses Row-Level Security so a user can never read another user's data through normal application paths. Service-role credentials are scoped to specific server functions and never exposed to the browser. Stripe webhooks are signature-verified and idempotent. Lead-form abuse is mitigated by a honeypot field, Cloudflare Turnstile, and a per-IP rate limit. Where a security incident affects you, we will notify you within 72 hours of becoming aware, as required by GDPR Art. 33–34.

10. Children

AHO is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact privacy@advertisehomes.online and we will delete it.

11. Changes to this policy

Material changes will be communicated by email to account holders at least 14 days before they take effect. Non-material changes (clarifications, processor updates) are reflected by updating the "Last updated" date above.

12. Contact

Privacy questions, requests, or complaints — privacy@advertisehomes.online.